M50155

Win Internals for IT

Course Title: Win Internals for IT

Course Code: M50155 Version: ALevel: 300Duration: 5 Days

Course Overview

The Win Internals for IT M50155 instructor-led training course has been designed to provide candidates with the necessary skills and knowledge required to debug and troubleshoot low-level Windows applications. The course provides a detailed view of the Windows operating system architecture, its key components, undocumented interfaces and core interactions through the use of debugging utilities, inspection tools and exercises.

Target Audience

Candidates who should consider attending the M50155 Microsoft training course are escalation and support engineers with substantial experience administering and troubleshooting applications and systems on Windows.

Course Objectives

On successfully completing the M50155 course candidates will be able to:

Use debugging tools to troubleshoot user-mode and kernel-mode issues

Appreciate the relationships between system components and their interactions with each other

Improve application performance by understanding how the system behaves internally

Course Prerequisites

Candidates attending the M50155 Microsoft training course should be familiar with the Windows operating system on a power-user level and operating systems concepts (multiprocessing, thread scheduling, virtual memory) is preferable but not a must. Candidates are also required to have a working knowledge of the C or C++ programming language - exempt from Modules 1-2 of the course and proficiency in Win32 programming - exempt from Modules 3-4 of the course.

Testing and Certification

The M50155 Microsoft training course is the recommended preparation for the 70-660 TS: Windows Internals exam.

Course Content

Module 1: Computer Architecture Refreshment

In this module candidates will learn how the modern computer is constructed and how programmes execute on this computer architecture.

In this module candidates will learn how to approach the Windows operating system using various APIs including Win32, and the motivation, history and design goals of Windows.

Lessons:

The Evolution of Windows: Windows 1.0 through Windows Vista

Back to 1989: Windows NT Design Goals

Windows Versions and Editions

Windows Programming Interfaces: Win32, COM, .NET

After completing this module, candidates will be able to:

Explain the primary differences between the various Windows versions and product editions

Appreciate the design goals of Windows NT as they are threaded into the Windows operating system

Understand the pros and cons of Windows programming interfaces

Module 4: Win32 Programming Primer

In this module candidates will learn how the operating system implements windows, message passing between windows, kernel objects and handles, processes and threads and synchronisation mechanism. This module also serves as an exposition to provide a common ground for examining system internals.

Lessons:

Introduction to Win32 API Paradigms

Windows and Window Procedures

Message Loops and Window Messages

Kernel Objects and Handles

Creating, Using and Sharing Objects

Processes and Threads

Synchronisation Mechanisms

Structured Exception Handling

An Introduction to NT File System (NTFS)

Dynamic Link Libraries (DLLs) and Loading

Inter-Process Communication

Lab: Basic Win32 Concepts

Theoretical questions about Win32 basic concepts

After completing this module, candidates will be able to:

Describe Win32 APIs and understand how to properly use them

Understand basic concepts in the Win32 programming model

Module 5: Tools

In this module candidates will learn how to use troubleshooting, inspection and debugging tools to examine the internals of the operating system and troubleshoot Windows applications. This module exposes the tools only briefly - crash analysis is covered in Modules 15-16.

Lessons:

Sysinternals Tools - Process Explorer, Process Monitor

Resource Kit and Support Kit Tools

Debugging Tools for Windows

Understanding Debugging Symbols

Kernel Debuggers

Lab: Symbols, Process Explorer and WinDbg

Setting up debugging symbols using environment variables

Configuring symbols in Process Explorer and inspecting thread stacks

First steps with WinDbg local kernel debugging

Lab: Virtual Kernel Debugging (Optional)

Setting up kernel debugging with a virtual machine as the target

After completing this module, candidates will be able to:

Use troubleshooting tools to understand why applications misbehave

Inspect the system`s inner workings through a kernel debugger

Configure debugging-related behaviour for user-mode applications

Module 6: System Architecture

In this module candidates will learn how to classify Windows system components and processes, how hard-wired system processes interact and what architectural decisions were made in the design of Windows.

Lessons:

Kernel-Mode vs. User-Mode Execution

Primary System Components

Types of User-Mode Processes

Hard-Wired System Processes

After completing this module, candidates will be able to:

Explain why the operating system and CPU provide the distinction between kernel-mode and user-mode execution privilege rings

Appreciate the relationships between the primary system components

Understand the purpose of each user-mode process type including system services, environment subsystems and standard applications

Understand the importance of each hard-wired system processes and their relationship hierarchy

Module 7: Startup and Shutdown

In this module candidates will learn how to troubleshoot Windows start-up and shutdown and what components are involved in the start-up and shutdown process.

Lessons:

Windows Startup - from Setup to Shell

Windows Shutdown - Applications, Services and Drivers

After completing this module, candidates will be able to:

Troubleshoot the Windows start-up process, including boot configuration, start-up processes, last known good configuration and safe mode

Using the Performance Monitor system performance data collector set to obtain statistics on DPCs, interrupts, network activity, file system access and memory usage

Using the Reliability Monitor to analyse system stability, driver installations, application failures and Windows failures

After completing this module, candidates will be able to:

Understand the various types of structured exception handling and when each should be used

Understand the implications of the IRQL on system stability and responsiveness

Use APCs for delayed asynchronous processing in user-mode applications

Inspect the behaviour of various system mechanisms on a live system

Module 9: Process and Thread Internals

In this module candidates will learn how to create operating system processes and threads and how to inspect their internal data structures in a kernel debugger.

Lessons:

Process Data Structures: Kernel, Executive, Environment Subsystem

Process Creation Flow

Thread Data Structures: Kernel, Executive, Environment Subsystem

Thread Creation Flow

Lab: Examining Processes and Threads

Determining whether a thread is a UI thread or not using the system service table pointer in the thread`s kernel data structure

After completing this module, candidates will be able to:

Understand the flow of process and thread creation

Inspect the behaviour of threads and processes on a system using a kernel debugger

Module 10: Thread Scheduling

In this module candidates will learn how to properly interact with the operating system with regard to thread creation, thread priorities and multiprocessing on a multi-processor system. The module focuses on priority boosts, quantum boosts, thread processor affinity and other specific optimisations for multi-processor scheduling.

Lessons:

Thread Scheduling in a Pre-emptive Multitasking Operating System

Thread Execution States and Transitions

Dispatcher Database

Quantum Length, Tuning and Boosts

Thread Priority and Priority Boosts

Thread Scheduling on a Multi-Processor System

Thread CPU Affinity and Non-Uniform Memory Access (NUMA)

After completing this module, candidates will be able to:

Tune the system by changing the foreground quantum boost, the quantum length and other parameters

Schedule threads for execution on multi-processor system and carefully assign CPU affinities to threads if necessary

Understand the implications of multi-processor CPU scheduling and NUMA considerations

Module 11: Synchronisation Mechanisms

In this module candidates will learn how to use synchronisation mechanisms to control thread execution and access to shared resources, and how to diagnose deadlocks and other problems arising from the use of synchronisation mechanisms.

Lessons:

Concurrency and the Need for Synchronisation

Kernel Synchronisation: IRQL, Spinlocks and Queued Spinlocks

Executive Synchronisation: Dispatcher Objects and Wait Blocks

Waiting for and Signalling Dispatcher Objects

Tracing Dispatcher Objects and Wait Chain Traversal

After completing this module, candidates will be able to:

Choose the most appropriate synchronisation mechanism for the task

Appreciate how dispatcher objects become signalled

Trace through dispatcher objects and wait blocks in a kernel debugger

Use Wait Chain Traversal to diagnose deadlocks and wait chains in user-mode applications

Module 12: The Memory Manager

In this module candidates will learn how to interact with the Windows Memory Manager in order to allocate, reserve and commit memory, share memory between processes, protect memory and lock pages into physical memory.

Lessons:

Virtual Memory and Paging

Allocating Memory: Reserve, Commit, Heap

Address Space Layout: User-Mode and Kernel-Mode , 32-bit and 64-bit

Virtual Address Translation, Translation Look-Aside Buffer (TLB)

Protecting Memory

Locking Pages into Memory, Address Windowing Extensions (AWE)

System Memory Pools and Look-Aside Lists

Working Set Management: Fetch, Placement and Replacement Policies

Page Frame Number (PFN) Database

After completing this module, candidates will be able to:

Allocate memory using the most appropriate mechanism for the task, including reserving and committing memory on demand

Share memory between processes and protect memory from being read, written or executed improperly

Tune working set management for applications to achieve less paging and better performance

Module 13: The I/O System

In this module candidates will learn how to examine the various components comprising the Windows I/O system and briefly reviews the basic infrastructure of Windows device drivers, the power manager and the Plug-and-Play (PNP) manager.

Lessons:

The I/O Manager, Power Manager and Plug-and-Play Manager

Device Driver Structure

I/O Data Structures: File Objects, Driver Object, Device Object

I/O Flow: I/O Request Packets

A Glimpse Towards Windows Driver Foundation (WDF)

After completing this module, candidates will be able to:

Examine I/O data structures to identify drivers, devices and files

Trace the flow of I/O request packets through the I/O system

Appreciate the role of power management and Plug-and-Play in the Windows I/O system

Module 14: The Cache Manager

In this module candidates will learn how to use the Windows file system cache manager to achieve better performance for applications which rely heavily on the file system.

Lessons:

Operating System File Caching vs. CPU Caching

Cache Structure: Cache Control Blocks, Private Control Blocks

Cache Operation: Read and Write, Fast I/O

Controlling the Cache Manager: Hints to CreateFile

After completing this module, candidates will be able to:

Provide hints to the cache manager to achieve better performance for applications which rely on the file system

Understand the structure and operation of the file system cache and the fast I/O path

Module 15: User-Mode Debugging

In this module candidates will learn how to debug live user-mode applications and examine crash dumps or hang dumps obtained from user-mode applications.

Lessons:

Understanding the Role of Debugging Symbols

Generating Dump Files: Crash and Hang Scenarios

Debugging Application Crashes

Debugging Application Hangs and Deadlocks

Lab: User-Mode Dumps and Debugging

Analysing a simple crash in an application by generating and opening a crash dump

Detecting a deadlock condition between critical sections in the debugger

Pinpointing a problem with file system and registry access by an application

Obtain dumps of running processes for later analysis in hang or crash scenarios

Debug common issues such as crashes, hangs, deadlocks and invalid handles

Module 16: Kernel-Mode Debugging

In this module candidates will learn how to debug kernel-mode dumps obtained from a crashed or hung Windows system.

Lessons:

Blue Screen of Death: When Does the Operating System Crash?

Manually Obtaining a Dump of the System

Debugging Crashes

Using Driver Verifier to Pinpoint Faulting Drivers

Lab: Kernel-Mode Dumps

Opening a minidump and finding the faulty driver

Crashing the system and finding the faulty driver using Driver Verifier to reproduce the problem

After completing this module, candidates will be able to:

Obtain dumps of the entire system for later analysis

Debug common crashes and understand the reasons for Windows crashes

Use Driver Verifier to detect faulty drivers

Module 17: What`s Different in 64-Bit Windows?

In this module candidates will learn how to port 32-bit applications to 64-bit Windows, how to execute 32-bit and 64-bit applications side-by-side and how to take advantage of the 64-bit Intel/AMD processor architecture.

Lessons:

64-Bit Processor Architecture (AMD64)

Windows on Windows 64 (WOW64) Architecture

File System and Registry Redirection and Virtualization

Performance Improvements on 64-Bit Windows

After completing this module, candidates will be able to:

Port existing 32-bit applications to 64-bit Windows or execute them natively using WOW64

Troubleshoot common issues with 32-bit applications on 64-bit Windows

Additional Reading

To help prepare for this class, candidates are recommended to review the following resources:

PLEASE NOTE: Every effort has been made to ensure the accuracy of all information contained herein. IT Help and Support Centre Ltd makes no warranty expressed or implied with respect to accuracy of this information, including price, product editorials or product specifications. IT Help and Support Centre Ltd or its suppliers shall not be liable for incidental, consequential or special damages arising from, or as a result of, any electronic transmission or the accuracy of the information contained herin, even if IT Help and Support Centre Ltd has been advised of the possibility of such damages. Product and manufacturer names are used only for the purpose of identification.

This Website is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, Cisco IOS, Cisco Systems, the Cisco Systems logo, and Networking Academy are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this web site are the property of their respective owners.